Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HSTS Browser Preloading Check ( Like SSL Labs ) #1248

Open
Verequies opened this issue Apr 26, 2019 · 1 comment

Comments

@Verequies
Copy link

commented Apr 26, 2019

Would be awesome if we could add an API check to see if a site is in preloaded in browsers.

API is available here: https://hstspreload.org
An example call would be: https://hstspreload.org/api/v2/status?domain=example.com

Which should return:
{ "name": "example.com", "status": "preloaded", "bulk": true }

The 'status' entry can have values "unknown" which we can take as not preloaded, "pending" meaning its being processed and "preloaded" which obviously means its preloaded.

As for the 'bulk' entry, on my own domain, it was false for a while, and doing an SSL Labs check it returned as only in Chrome. However today I checked and the 'bulk' entry showed true, and SSL Labs shows its preloaded into Firefox, IE and Edge as well as Chrome. So I'm willing to bet thats what 'bulk' means.

This shouldn't be a difficult addition to the great test that is testssl :)

@drwetter drwetter added the feature label Apr 26, 2019
@drwetter drwetter added this to the 3.1dev milestone Apr 26, 2019
@drwetter

This comment has been minimized.

Copy link
Owner

commented Apr 26, 2019

Thanks @Verequies for the suggestion / reminder. I thought it was already an issue here a long while back and I lost track but actually neither is the case. :-)

Likely a user check will need --phone-out though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.